Xnest: fix memleak on user specified depth

Buffer overflow may happen on user specificed different depth/class: xnestOpenScreen() looks into the wrong table: it's local visuals[] array, instead of the global (non-dedup'ed) list fetched by xlib. The visuals[] array is *much* smaller (deduplicated) than the xnestVisuals[] array, and xnestDefaultVisualIndex is likely to point outside of visual[]'s bounds. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-08-15 10:58:18 +02:00 · 2024-08-15 10:58:18 +02:00 · c6ca7b64f2
parent ecb8ca56b5
commit c6ca7b64f2
3 changed files with 5 additions and 27 deletions
--- a/hw/xnest/Display.c
+++ b/hw/xnest/Display.c
@ -43,7 +43,6 @@ is" without express or implied warranty.
 Display *xnestDisplay = NULL;
 XVisualInfo *xnestVisuals;
 int xnestNumVisuals;
-int xnestDefaultVisualIndex;
 Colormap *xnestDefaultColormaps;
 static uint16_t xnestNumDefaultColormaps;
 int xnestNumPixmapFormats;
@ -92,29 +91,6 @@ xnestOpenDisplay(int argc, char *argv[])
    if (xnestNumVisuals == 0 || xnestVisuals == NULL)
        FatalError("Unable to find any visuals.\n");

-    if (xnestUserDefaultClass || xnestUserDefaultDepth) {
-        xnestDefaultVisualIndex = UNDEFINED;
-        for (i = 0; i < xnestNumVisuals; i++)
-            if ((!xnestUserDefaultClass ||
-                 xnestVisuals[i].class == xnestDefaultClass)
-                &&
-                (!xnestUserDefaultDepth ||
-                 xnestVisuals[i].depth == xnestDefaultDepth)) {
-                xnestDefaultVisualIndex = i;
-                break;
-            }
-        if (xnestDefaultVisualIndex == UNDEFINED)
-            FatalError("Unable to find desired default visual.\n");
-    }
-    else {
-        vi.visualid = XVisualIDFromVisual(DefaultVisual(xnestDisplay,
-                                                        xnestUpstreamInfo.screenId));
-        xnestDefaultVisualIndex = 0;
-        for (i = 0; i < xnestNumVisuals; i++)
-            if (vi.visualid == xnestVisuals[i].visualid)
-                xnestDefaultVisualIndex = i;
-    }
-
    xnestNumDefaultColormaps = xnestNumVisuals;
    xnestDefaultColormaps = xallocarray(xnestNumDefaultColormaps,
                                        sizeof(Colormap));
--- a/hw/xnest/Display.h
+++ b/hw/xnest/Display.h
@ -27,7 +27,6 @@ is" without express or implied warranty.
 extern Display *xnestDisplay;
 extern XVisualInfo *xnestVisuals;
 extern int xnestNumVisuals;
-extern int xnestDefaultVisualIndex;
 extern Colormap *xnestDefaultColormaps;
 extern int xnestNumDefaultClormaps;
 extern int xnestNumPixmapFormats;
--- a/hw/xnest/Screen.c
+++ b/hw/xnest/Screen.c
@ -264,8 +264,11 @@ xnestOpenScreen(ScreenPtr pScreen, int argc, char *argv[])
    }
    visuals = reallocarray(visuals, numVisuals, sizeof(VisualRec));

-    defaultVisual = visuals[xnestDefaultVisualIndex].vid;
-    rootDepth = visuals[xnestDefaultVisualIndex].nplanes;
+    if (!found_default_visual) {
+        ErrorF("Xnest: can't find matching visual for user specified depth %d\n", xnestDefaultDepth);
+        defaultVisual = visuals[0].vid;
+        rootDepth = visuals[0].nplanes;
+    }

    if (xnestParentWindow != 0) {
        xRectangle r = xnestGetGeometry(xnestUpstreamInfo.conn, xnestParentWindow);